JP2007537474A - How to protect cryptographic assemblies by homographic masking - Google Patents
Description
The present invention relates to a method for securing an electronic assembly that implements a cryptographic algorithm using a secret quantity such as a secret key. More precisely, the method aims to produce a version of the algorithm that is not vulnerable to certain physical attacks, such as the attack known as higher-order differential power analysis, which attempts to obtain information about the secret key by, for example, examining the power consumption of the electronic assembly while the computation is running.
1.1 Background
The cryptographic algorithms considered here use a secret key to compute output information from input information. These algorithms have many applications, for example encryption, decryption, signing, signature verification, authentication, non-repudiation and other operations. Many applications today base their security on secret-key cryptographic algorithms such as DES and, more recently, AES, which became the worldwide encryption standard in 2000. See Joan Daemen, Vincent Rijmen: AES proposal: Rijndael.
The latest version is available on the Internet at http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf. These cryptographic algorithms have been studied by cryptographers and proven secure against the best known attacks. For these cryptographic solutions, security therefore depends mainly on the security of the secret key used. Unfortunately, neither the security of data items stored on a PC nor the security of passwords memorised by humans can be taken seriously. It has therefore become essential to store secret quantities in a separate secure module such as a smart card.
1.2 Problem: protecting embedded algorithms
Cryptographic algorithms are perfectly secure in an ideal mathematical world, but this is not the case in the real world. A smart card radiates energy and consumes current, and as a result information that depends on the secret quantity leaks out of the card at every cycle.
To be truly secure, the intermediate data of the algorithm must not provide any information about this secret quantity. In addition, new attacks have been developed; see the following documents.
P. Kocher, J. Jaffe, B. Jun, "Introduction to Differential Power Analysis and Related Attacks", Technical Report, Cryptography Research Inc., 1998. Available from http://www.cryptography.com/dpa/technical/index.html.
T. S. Messerges, "Using Second-Order Power Analysis to Attack DPA Resistant Software", in Proceedings of CHES 2000, LNCS 1965, pp. 238-251, Springer-Verlag, 2000.
These are known as higher-order attacks (for example "second-order DPA"): the attacker combines information leaking at two or more moments during execution of the cryptographic algorithm. To be protected against this kind of attack, it is no longer sufficient that the intermediate data of the algorithm provides no information about the secret quantity. It must also be impossible for the attacker to combine data obtained at different moments of the execution so as to obtain any information about the secret quantity.
1.3 Constraints
The solution to the problem must not only provide protection against DPA-type attacks; it must also be possible to extend it to "second-order DPA" and higher-order attacks. The solution must also meet reasonable constraints on execution time and the amount of memory used. One object of the present invention, achieved by it, is that execution time and memory are multiplied, compared with an unprotected implementation, only by a small constant that depends neither on the block size nor on the number of AES rounds.
The present invention guarantees the security of AES against first-order, second-order and higher-order DPA-type attacks, SPA attacks and other electronic attacks, and attacks via other hidden channels.
The remainder of this document describes a general solution that is particularly suited to the AES algorithm but can also be applied to other cryptographic algorithms. All previously known solutions to this problem have been criticised for their performance level and memory usage, and have been exposed to attacks published in the literature.
The present invention relates to a method for securing an electronic system comprising a processor and a memory, implementing a cryptographic computation process stored in the memory, where the cryptographic computation process uses a secret quantity k and a homographic function f of the following type:
- f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
- f(-d/c) = a/c
The function f acts on masked variables. The method consists in performing this operation using a composition of several transformations acting on GF(2^k) extended by a point at infinity, defined as (ax+b)/(cx+d), together with a transformation that exchanges two points, so that for any k, where x is the input of the function f and y = f(x+k) is its output, one passes directly from the masked value x+m_i (additive masking of XOR type) to the masked value y+m_j.
The invention also relates to a system implementing this method.
The purpose of the method according to the invention is to secure an electronic system, for example an embedded system such as a smart card, that implements a cryptographic computation process using a secret key. The electronic system comprises a processor and a memory. The cryptographic computation process is installed in a memory of this system, for example of ROM type. The processor of this system executes the computation process using a secret key stored in a secret area of a memory, for example of E2PROM type.
The method according to the invention consists in providing homographic protection.
First, the general principle of the protection is described.
2.1 Decomposition principle
Every cryptosystem can be decomposed into a number of elementary operations such as addition, XOR, etc.
In the case of AES, the operations can be divided into two categories:
- "linear" operations, which are easily protected by conventional additive masking; this is well known and is not the subject of the present invention;
- once the linear operations are set aside, a single operation remains, namely the Rijndael Inv operation, derived from inversion in the finite field GF(256) with 0 mapped to 0.
Our concern is exclusively to protect the Inv operation.
The solution described also applies to other similar operations.
2.2 Preliminaries
Let K be a finite field; in the case of AES, K = GF(256).
Assume that several implementations of K exist, that is, implementations of addition and multiplication in K, for example the one defined in [AES].
Let Inv be the modified Rijndael inverse function [AES], i.e.:
- Inv(x) = 1/x in K when x is non-null
- Inv(0) = 0
Define K' by adding to K a point known as the point at infinity, so that K' = K ∪ {oo}.
Define Inv' as the following operation:
- Inv'(x) = 1/x in K when x is non-null and not equal to oo
- Inv'(0) = oo
- Inv'(oo) = 0
The invention considers that, to compute Inv, we can apply the composition of Inv' with the operation that exchanges 0 and oo.
Let E[a,b] be the operation of K' that exchanges the points a and b:
- E[a,b](x) = x when x is equal to neither a nor b
- E[a,b](a) = b
- E[a,b](b) = a
2.3 How to represent the operation Inv
For any x in K (Inv is not defined on all of K'):
Inv(x) = Inv'(E[0,oo](x))
The protection principle is as follows: unlike Inv, Inv' belongs to a group of moderate size that is stable under composition. As a result, a protection that cannot exist for Inv can be achieved for Inv'.
This group is defined as the following set of functions.
For any 4-tuple (a,b,c,d) of elements of K with ac <> bd, we define the function HOM[a,b,c,d] as follows:
- HOM[a,b,c,d](x) = (ax+b)/(cx+d) in K when (cx+d) is not equal to 0
- HOM[a,b,c,d](-d/c) = oo
- HOM[a,b,c,d](oo) = a/c
To implement Inv, we write the following function K' -> K', which coincides with Inv on the set K:
Inv' o E[0,oo]
The symbol "o" denotes ordinary function composition.
We next write Inv' as a product of homographic functions:
Inv' = F_1 o F_2 o ... o F_n o G_1 o ... o G_n
Each of the functions F_i and G_i is of the form HOM[a,b,c,d].
Since Inv' belongs to a group, this decomposition can be carried out arbitrarily. For example, Inv' can be obtained by choosing 2*n-1 of the functions at random, recomputing the missing one, and composing them.
We then obtain the following function K' -> K', which coincides with Inv on K:
F_1 o F_2 o ... o F_n o G_1 o ... o G_n o E[0,oo]
However, since all these functions are bijective on K', two points a and b can be computed such that this function equals:
F_1 o F_2 o ... o F_n o E[a,b] o G_1 o ... o G_n
These points are a = G_1(...G_n(0)) and b = G_1(...G_n(oo)).
The protection in the present invention is implemented as follows:
1. Generate F_1, F_2, ..., F_n, G_1, ..., G_n. Each is described by 4 elements of K, i.e. 4 bytes in Rijndael/AES.
2. Compute a and b.
3. Compute Inv by applying this sequence of operations.
4. AES contains several Inv operations. The sequence of operations performed, as defined in steps 1-3, may differ from one computation to the next.
2.4 How to protect the operation Inv
In a secure AES implementation, y = Inv(x) is not computed from x; instead it is computed directly from the masked value x+m_i, so that the intermediate values x and y, which would leak information, are never used and y+m_j is obtained directly. We therefore have to compute the following function:
y = Inv(x+m_i)+m_j
Like Inv, this function admits many representations as a combination of elementary operations of the form HOM[a,b,c,d] together with an exchange of two points.
It is also recommended to go further. Let K_i be an AES intermediate (round) key. The operation x |-> Inv(x+K_i) can be protected directly in the same way. After exchanging two points, this operation equals, on all of K, a particular HOM[a,b,c,d]: K' -> K' of the group, which can be decomposed in the same way as for Inv. In an implementation protected by additive masks, we therefore need to decompose the following function:
x |-> Inv(x+K_i+m_i)+m_j
This is carried out in the same way.
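As an added worked example (not the patent's own code), the constructions of sections 2.3 and 2.4 in Python: GF(2^8) with the AES polynomial, K' with a point at infinity oo, HOM[a,b,c,d], E[a,b], a random decomposition of Inv' into 2n factors with the missing one recovered from the group, the swap moved to the right of the G factors with a = G_1(...G_n(0)) and b = G_1(...G_n(oo)), and the masked map x+m_i -> Inv(x+K_i)+m_j computed without ever forming x or Inv(x). Assumptions: the invertibility test is the standard determinant condition ad + bc != 0 rather than the text's ac <> bd; the masks, key and seeds are constructed sample values; and Python's `random` with a fixed seed stands in for a device RNG.

```python
"""Homographic masking of the AES inverse (constructed example, not the
patent's code).  K = GF(2^8), K' = K plus a point at infinity OO; HOM[a,b,c,d]
is x -> (ax+b)/(cx+d) on K', E[a,b] swaps two points, Inv' = HOM[0,1,1,0]."""
import random

OO = 256  # label for the point at infinity (outside the byte range 0..255)

def gf_mul(x, y):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if y & 1:
            r ^= x
        x = (x << 1) ^ (0x11B if x & 0x80 else 0)  # xtime with reduction
        y >>= 1
    return r

def inv(x):
    """Rijndael Inv on K: x^254 (= 1/x for x != 0) and Inv(0) = 0."""
    r, p = 1, x
    for _ in range(7):  # accumulate x^2 * x^4 * ... * x^128 = x^254
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def swap(a, b):  # E[a,b]: exchange the points a and b of K', fix the rest
    return lambda x: b if x == a else a if x == b else x

class Hom:
    """HOM[a,b,c,d] on K'; invertible iff ad + bc != 0 (standard condition, assumed here)."""
    def __init__(self, a, b, c, d):
        assert gf_mul(a, d) ^ gf_mul(b, c) != 0, "degenerate homography"
        self.m = (a, b, c, d)

    def __call__(self, x):
        a, b, c, d = self.m
        if x == OO:  # HOM(OO) = a/c, and OO itself when c == 0
            return OO if c == 0 else gf_mul(a, inv(c))
        den = gf_mul(c, x) ^ d
        if den == 0:  # HOM(-d/c) = OO
            return OO
        return gf_mul(gf_mul(a, x) ^ b, inv(den))

    def __matmul__(self, other):  # self o other = 2x2 matrix product
        a, b, c, d = self.m
        e, f, g, h = other.m
        return Hom(gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h),
                   gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h))

    def inverse(self):  # adjugate matrix; in characteristic 2 no signs
        a, b, c, d = self.m
        return Hom(d, b, c, a)

INV_EXT = Hom(0, 1, 1, 0)  # Inv': 1/x on K*, 0 -> OO, OO -> 0

def random_hom(rng):
    while True:  # rejection-sample an invertible HOM[a,b,c,d]
        a, b, c, d = (rng.randrange(256) for _ in range(4))
        if gf_mul(a, d) ^ gf_mul(b, c):
            return Hom(a, b, c, d)

def decompose(target, n, rng):
    """target = F_1 o..o F_n o G_1 o..o G_n: 2n-1 random factors, F_1 solved."""
    rest = [random_hom(rng) for _ in range(2 * n - 1)]  # F_2..F_n, G_1..G_n
    tail = rest[0]
    for h in rest[1:]:
        tail = tail @ h
    factors = [target @ tail.inverse()] + rest
    return factors[:n], factors[n:]

def compose(funcs):  # ordinary composition f_1 o f_2 o ... o f_k on K'
    def run(x):
        for f in reversed(funcs):
            x = f(x)
        return x
    return run

def protected_chain(target, p, n, rng):
    """Compute target o E[p,OO] on K as F o E[a,b] o G, the swap moved to the
    right of the G factors: a = G_1(..G_n(p)), b = G_1(..G_n(OO))."""
    F, G = decompose(target, n, rng)
    g = compose(G)
    return compose(F + [swap(g(p), g(OO))] + G)

def protected_inv(n=3, seed=1):
    """Section 2.3: Inv on K as F_1 o..o F_n o E[a,b] o G_1 o..o G_n."""
    return protected_chain(INV_EXT, 0, n, random.Random(seed))

def masked_inv(m_in, m_out, k, n=3, seed=2):
    """Section 2.4: x+m_in -> Inv(x+k)+m_out.  XOR with a constant is
    HOM[1,c,0,1], so unmask, Inv' and remask merge into one homography T; the
    swap E[0,OO] in front of Inv' becomes E[k+m_in,OO] in front of T."""
    target = Hom(1, m_out, 0, 1) @ INV_EXT @ Hom(1, k ^ m_in, 0, 1)
    return protected_chain(target, k ^ m_in, n, random.Random(seed))

def check_all(m_in=0x5A, m_out=0xC3, k=0x3C):
    """True iff Inv = Inv' o E[0,OO] on K and both chains agree with Inv."""
    f, h = protected_inv(), masked_inv(m_in, m_out, k)
    return all(inv(x) == INV_EXT(swap(0, OO)(x)) == f(x)
               and h(x ^ m_in) == inv(x ^ k) ^ m_out for x in range(256))
```

In a real implementation the random factors would come from the device's RNG and be refreshed for each Inv call, as step 4 of section 2.3 describes.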
2.5 Improvements
Several operations E[a,b] can be used instead of a single one.
It is clear that for each operation HOM[a,b,c,d] one may assume that a is equal to 0 or 1.
The same method could also be used to protect an implementation in which additive or multiplicative masking is used, but this is not recommended: such maskings are either not bijective or fix particular points (multiplicative masking, for example, does not mask 0). Homographic masking, of whatever type, is always bijective, but it requires storing one of 257 values, which is not very practical: such a value cannot be stored in one byte.
This document does not describe a complete protected AES implementation. Its purpose is to explain how to protect the non-linear component, which is the hardest to protect. The protection of the assembly may, and must, include other well-known conventional protections.
Thus, in the particular embodiment described, the invention relates to a method for protecting an assembly that implements a cryptographic computation process using at least the function Inv (the inverse function in GF(2^k) with 0 mapped to 0, as in AES), in which an intermediate variable x of the computation is handled under additive masking x+m_i, where m_i is a mask and + is the XOR operator, characterised in that, for any k, where x is the input and y = f(x+k), this operation is performed using a composition of several transformations acting on GF(2^k) extended by a point at infinity, defined in the form (ax+b)/(cx+d), together with a transformation that exchanges two points, so as to pass directly from the masked value x+m_i to the masked value y+m_j without exposing any intermediate value.
The invention also relates to a system comprising storage means and implementing a cryptographic computation process using the function Inv (the inverse function in GF(2^k) with 0 mapped to 0, as in AES), in which an intermediate variable x of the computation is handled under additive masking x+m_i, where m_i is a mask and + is the XOR operator, characterised in that, for any k, where x is the input and y = Inv(x+k), this operation is treated as a composition of several transformations acting on GF(2^k) extended by a point at infinity, defined in the form (ax+b)/(cx+d), together with a transformation that exchanges two points, so as to pass directly from the masked value x+m_i to the masked value y+m_j without exposing any intermediate value.
Claims (10)
A method for protecting an assembly that implements a cryptographic computation process, the cryptographic computation process using a homographic function f of the following type acting on masked variables:
- f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
- f(-d/c) = a/c
characterised in that, for any k, where x is the input of the function f and y = f(x+k) is the output of the function f, this operation is performed using a composition of several transformations acting on GF(2^k) extended by a point at infinity, defined as (ax+b)/(cx+d), together with a transformation that exchanges two points, so as to pass directly from the masked value x+m_i (additive masking of XOR type) to the masked value y+m_j.
An electronic system comprising means for storing a cryptographic computation process and means for executing the cryptographic computation process, the cryptographic computation process using a homographic function f of the following type acting on masked variables:
- f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
- f(-d/c) = a/c
characterised in that it comprises means for performing this operation, for any k, where x is the input of the function f and y = f(x+k) is the output of the function f, using a composition of several transformations acting on GF(2^k) extended by a point at infinity, defined as (ax+b)/(cx+d), together with a transformation that exchanges two points, so as to pass directly from the masked value x+m_i (additive masking of XOR type) to the masked value y+m_j.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04291204A EP1596278A1 (en) | 2004-05-11 | 2004-05-11 | Method to protect a cryptographic unit through homographic masking |
PCT/IB2005/001409 WO2005109183A1 (en) | 2004-05-11 | 2005-05-11 | Method for protecting a cryptographic assembly by a homographic masking |
Publications (2)
Publication Number | Publication Date |
---|---|
JP2007537474A (en) | 2007-12-20 |
JP4668985B2 JP4668985B2 (en) | 2011-04-13 |
Also Published As
Publication number | Publication date |
---|---|
EP1745366A1 (en) | 2007-01-24 |
WO2005109183A1 (en) | 2005-11-17 |
DE602005017485D1 (en) | 2009-12-17 |
US20080022126A1 (en) | 2008-01-24 |
ATE447737T1 (en) | 2009-11-15 |
EP1596278A1 (en) | 2005-11-16 |
EP1745366B1 (en) | 2009-11-04 |
JP4668985B2 (en) | 2011-04-13 |
US8074076B2 (en) | 2011-12-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | A131 | Notification of reasons for refusal | Free format text: JAPANESE INTERMEDIATE CODE: A131; Effective date: 20100601 |
| | A601 | Written request for extension of time | Free format text: JAPANESE INTERMEDIATE CODE: A601; Effective date: 20100831 |
| | A602 | Written permission of extension of time | Free format text: JAPANESE INTERMEDIATE CODE: A602; Effective date: 20100907 |
| | A521 | Request for written amendment filed | Free format text: JAPANESE INTERMEDIATE CODE: A523; Effective date: 20101126 |
| | TRDD | Decision of grant or rejection written | |
| | A01 | Written decision to grant a patent or to grant a registration (utility model) | Free format text: JAPANESE INTERMEDIATE CODE: A01; Effective date: 20101221 |
| | A01 | Written decision to grant a patent or to grant a registration (utility model) | Free format text: JAPANESE INTERMEDIATE CODE: A01 |
| | A61 | First payment of annual fees (during grant procedure) | Free format text: JAPANESE INTERMEDIATE CODE: A61; Effective date: 20110113 |
| | FPAY | Renewal fee payment (event date is renewal date of database) | Free format text: PAYMENT UNTIL: 20140121; Year of fee payment: 3 |
| | R150 | Certificate of patent or registration of utility model | Ref document number: 4668985; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150 |
| | S533 | Written request for registration of change of name | Free format text: JAPANESE INTERMEDIATE CODE: R313533 |
| | FPAY | Renewal fee payment (event date is renewal date of database) | Free format text: PAYMENT UNTIL: 20140121; Year of fee payment: 3 |
| | R350 | Written notification of registration of transfer | Free format text: JAPANESE INTERMEDIATE CODE: R350 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
| | LAPS | Cancellation because of no payment of annual fees | |